06-23-2008 09:23 PM - edited 03-11-2019 06:03 AM
Can anybody figure out why the port-mapped traffic (smtp, www, RDP) is not going to the server Zeus? I guess something is wrong with the AAA access-list.
Thanks for the help!
hostname ASA
names
name 10.100.50.172 Zeus
!
interface Vlan1
nameif inside
security-level 100
ip address 10.100.86.1 255.255.0.0
ospf cost 10
!
interface Vlan2
nameif outside
security-level 0
ip address xxx.yyy.15.10 255.255.255.248
ospf cost 10
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
boot system disk0:/asa802-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name foods.com
object-group service VDC
description Video Conferencing
service-object tcp source range 3230 3238 range 3230 3238
service-object tcp eq h323
service-object udp source range 3230 3258 range 3230 3258
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq www
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq smtp
access-list out_in extended permit tcp any host xxx.yyy.15.10 eq 3389
access-list out_in extended permit object-group VDC any host xxx.yyy.15.10
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq 3389
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq smtp
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq www
access-list AAA extended permit tcp host xxx.yyy.15.10 host Zeus eq pptp
access-list AAA extended permit object-group VDC host xxx.yyy.15.10 host 10.100.86.5
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.100.0.0 255.255.0.0
static (inside,outside) interface access-list AAA
access-group out_in in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.yyy.15.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.100.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet 10.100.0.0 255.255.0.0 inside
telnet timeout 30
ssh timeout 5
console timeout 30
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
!
service-policy global_policy global
06-24-2008 02:40 AM
You are right, the ACL is from the perspective of the ASA, it should be the reverse:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/cfgnat.html#wp1043281
Regards
Farrukh
06-24-2008 05:27 AM
I have replaced the statements in the AAA access-list with
#access-list AAA extended permit tcp host Zeus eq smtp host xxx.yyy.15.10 eq smtp
But it is still not working. What am I doing wrong?
06-25-2008 11:08 AM
Run the packet-tracer command and see what is going wrong.
Regards
Farrukh
06-25-2008 11:37 AM
Replace "xxx.yyy.15.10" with the word "interface" in your policy acl.
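An added configuration example, written by the editor and not taken from the thread or from Cisco documentation, that puts the replies together for the 8.0 image shown (pre-8.3 NAT syntax, where an ACL applied to the outside interface references the mapped address, which `out_in` already does). It assumes only what the posted config shows: Zeus at 10.100.50.172, the masked outside address `xxx.yyy.15.10`, and dynamic PAT on the interface. Option A is the policy-NAT form the replies describe (ACL written from the ASA's view, real host first); the use of `any` for the remote side is an assumption so that every external client matches. Option B is the conventional per-port static PAT for the same job; it is the editor's alternative, not something the thread states. The external client 203.0.113.7 in the packet-tracer check is a constructed documentation address.

```cisco
! ----- Option A: policy static NAT as the replies describe it -----
! The policy ACL is read from the ASA's perspective: source = real inside
! host (Zeus), destination = remote side. Naming the ASA's own outside
! address as the destination (as the original AAA ACL did) matches nothing.
! Assumption: "any" as the destination so any external client is mapped.
clear configure access-list AAA
access-list AAA extended permit tcp host Zeus eq smtp any
access-list AAA extended permit tcp host Zeus eq www any
access-list AAA extended permit tcp host Zeus eq 3389 any
static (inside,outside) interface access-list AAA

! ----- Option B: plain static PAT per port (editor's alternative) -----
! Maps outside-interface port -> Zeus port without a policy ACL. Remove the
! policy static first so the two do not overlap on the same mapped address.
no static (inside,outside) interface access-list AAA
static (inside,outside) tcp interface smtp Zeus smtp netmask 255.255.255.255
static (inside,outside) tcp interface www  Zeus www  netmask 255.255.255.255
static (inside,outside) tcp interface 3389 Zeus 3389 netmask 255.255.255.255

! ----- Check, as the 06-25 reply suggests -----
! Simulate an inbound SMTP connection from a constructed external client to
! the masked outside address from the post (substitute the real address).
packet-tracer input outside tcp 203.0.113.7 40000 xxx.yyy.15.10 25
! Confirm the translation exists and the outside ACL is being hit.
show xlate
show access-list out_in
```

In the packet-tracer output, the phase to read is the NAT phase: with the original AAA ACL it shows no static match and the packet either falls to the interface's own address and is dropped, or ends with a Drop-reason, whereas with either option above the NAT phase shows the untranslate to Zeus and the final line reads "Action: allow". The `out_in` ACL is already correct for this 8.0 image because it permits to the mapped outside address, not to Zeus.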